Hi there Carlos -

The main reason people say you should have both is that many customers do
things completely legitimately (like mail forwarding) that break SPF. Any
of those messages that lack DKIM will automatically fail DMARC, and
customers will wonder what the heck happened to their mail, which is why
it's advised that you should have both SPF and DKIM before moving to a
reject or quarantine policy.

On Wed, Aug 12, 2015 at 1:46 PM, Carlos P via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> Hello,
>
>
> I am new to DMARC and have a question: Is it necessary to set up both SPF
> and DKIM in order to "quarantine" or "reject"? I cannot tell that from the
> RFC [1] nor from searching this list, but there are some other places [2][3]
> that say so.
>
>
> Is not finding a DKIM or SPF record considered a failure by itself when
> p!=none?
>
> If so, I would like to know the rationale behind it. Is it to make it a
> little more resilient to "small" and transient mistakes?
>
> Thank you
>
>
> [1] http://tools.ietf.org/html/rfc7489
>
> "2.  Receivers compare the RFC5322.From address in the mail to the SPF
> and DKIM results, if present, and the DMARC policy in DNS."
>
> later
>
> "Identifier Alignment:  When the domain in the RFC5322.From address
> matches a domain validated by SPF or DKIM (or both), it has
> Identifier Alignment"
>
> [2] https://support.google.com/a/answer/2466563
>
> "Important: Before creating a DMARC record for your Google Apps domain,
> you must first set up DKIM authentication. If you fail to set up DKIM
> first, email from services such as Google Calendar will fail mail
> authentication and will not be delivered to users."
>
>
> [3]
> http://blog.endpoint.com/2014/04/spf-dkim-and-dmarc-brief-explanation.html
>
> "DMARC can (and will) break your mail flow if you don't set up both SPF
> and DKIM before changing DMARC policy to anything above 'none'."
>
> --
>
> Carlos Pantelides
> @dev4sec
> seguridad-agile.blogspot.com
> _______________________________________________
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
>



-- 
PAUL ROCK
Principal Programmer/Analyst | AOL Mail
P: 703-265-5734 | C: 703-980-8380
AIM: paulsrock
22070 Broderick Dr.| Dulles, VA | 20166-9305
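
Added example, not part of the original thread: a minimal Python model of the DMARC pass/fail decision for the forwarding case discussed above, showing why an SPF-only domain loses forwarded mail under p=reject while an SPF+DKIM domain does not. The domains, the `Message` fields and the two-label `org_domain` shortcut are assumptions made for illustration; real receivers use the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Optional

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class Message:
    from_domain: str                    # RFC5322.From domain
    spf_result: str                     # "pass", "fail", "none", ...
    spf_domain: str                     # RFC5321.MailFrom domain SPF checked
    dkim_result: str = "none"           # "none" means no signature present
    dkim_domain: Optional[str] = None   # d= of the verified signature

def dmarc_disposition(msg: Message, policy: str) -> str:
    """DMARC passes if EITHER mechanism passes with an aligned domain."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.from_domain)
    dkim_ok = (msg.dkim_result == "pass" and msg.dkim_domain is not None
               and aligned(msg.dkim_domain, msg.from_domain))
    if spf_ok or dkim_ok:
        return "deliver"
    # Neither mechanism produced an aligned pass: the published policy applies.
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]

def scenarios(policy: str = "reject") -> dict:
    # Constructed sample messages; example.com is the sending domain.
    direct_spf_only = Message("example.com", "pass", "bounce.example.com")
    # A forwarder relays from its own IP and keeps the original MailFrom,
    # so the SPF check at the final receiver fails.
    fwd_spf_only = Message("example.com", "fail", "bounce.example.com")
    # Same forwarded message, but signed: the DKIM signature survives the hop.
    fwd_with_dkim = Message("example.com", "fail", "bounce.example.com",
                            "pass", "example.com")
    return {
        "direct, SPF only": dmarc_disposition(direct_spf_only, policy),
        "forwarded, SPF only": dmarc_disposition(fwd_spf_only, policy),
        "forwarded, SPF + DKIM": dmarc_disposition(fwd_with_dkim, policy),
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```
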